kig rat

CAPESandbox · Jul 23, 2024 · d3b397d · d3b397d
1 parent d0da2dc
commit d3b397d
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/data/yara/CAPE/VenomRAT.yar b/data/yara/CAPE/VenomRAT.yar
@@ -19,7 +19,7 @@ rule VenomRAT {
 rule venomrat_kingrat {
     meta:
         author = "jeFF0Falltrades"
-		cape_type = "VenomRat Payload"
+	cape_type = "VenomRat Payload"
 
     strings:
         $str_id_venomrat = "venomrat" wide ascii nocase

diff --git a/data/yara/CAPE/XWorm.yar b/data/yara/CAPE/XWorm.yar
@@ -25,3 +25,22 @@ rule XWorm {
     condition:
         uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v2*))) or 6 of them)
 }
+
+rule xworm_kingrat {
+    meta:
+        author = "jeFF0Falltrades"
+        cape_type = "Xworm payload"
+    strings:
+        $str_xworm = "xworm" wide ascii nocase
+        $str_xwormmm = "Xwormmm" wide ascii
+        $str_xclient = "XClient" wide ascii
+        $str_default_log = "\\Log.tmp" wide ascii
+        $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii 
+        $str_ddos_start = "StartDDos" wide ascii 
+        $str_ddos_stop = "StopDDos" wide ascii
+        $str_timeout = "timeout 3 > NUL" wide ascii
+        $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f }
+        $patt_config = { 72 [3] 70 80 [3] 04 }
+    condition:
+        5 of them and #patt_config >= 7
+ }
diff --git a/data/yara/CAPE/Xenorat.yar b/data/yara/CAPE/Xenorat.yar
@@ -0,0 +1,14 @@
+ rule xenorat {
+    meta:
+        author = "jeFF0Falltrades"
+        cape_type = "Xenorat payload"
+    strings:
+        $str_xeno_rat_1 = "xeno rat" wide ascii nocase
+        $str_xeno_rat_2 = "xeno_rat" wide ascii nocase
+        $str_xeno_update_mgr = "XenoUpdateManager" wide ascii
+        $str_nothingset = "nothingset" wide ascii 
+        $byte_enc_dec_pre = { 1f 10 8d [4] (0a | 0b) }
+        $patt_config = { 72 [3] 70 80 [3] 04 }
+    condition:
+        4 of them and #patt_config >= 5
+ }